The purpose of these reports is to inform fellow sysadmins, so counter-measures can be applied preemptively (instead of handling the problem after it has started). Since my personal servers are mainly honey-pots, such occurrences are not blocked by my iptables. COME GET SOME.
The data is provided in text/plain format using 7-bit ASCII, TAB-separated fields and CR-separated records. Timestamps are in Zulu time.
From past experience:
- fewer than 10 hits should be ignored;
- between 10 and ~50 hits can have some relevance but do not necessarily demand a reaction - unless it's happening in the last week;
- above ~50 hits is interesting;
- about 100 hits and up is definitely an aggression attempt and should be promptly counter-measured;
- anything without a hit for the last 6 months can (to tell you the truth, should, as IPs change owners) be ignored.
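As an added example (not part of the original reports or their tooling), the following Python reads a report in the wire format described above - 7-bit ASCII, TAB-separated fields, CR-separated records, Zulu timestamps - and applies the hit-count and staleness rules just listed. The column layout (source IP, hit count, last hit) and the sample records are assumptions; the page does not document the fields.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the report's wire format: 7-bit ASCII, TAB-separated
# fields, CR (not LF) separated records, timestamps in Zulu time.
# Column order (source IP, hit count, last hit) is an assumption.
SAMPLE = (
    "198.51.100.7\t3\t2024-05-01T10:00:00Z\r"
    "203.0.113.9\t27\t2024-05-29T08:15:00Z\r"
    "192.0.2.44\t64\t2024-02-10T00:00:00Z\r"
    "203.0.113.200\t140\t2024-05-30T23:59:00Z\r"
    "192.0.2.1\t500\t2023-09-01T12:00:00Z\r"
)

# Constructed reference time for the staleness check (Zulu).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_records(data):
    """Split CR-separated records into (ip, hits, last_hit) tuples."""
    if isinstance(data, bytes):
        data = data.decode("ascii")          # the report is 7-bit ASCII
    out = []
    for rec in data.split("\r"):
        if not rec:
            continue                          # trailing CR yields an empty record
        ip, hits, ts = rec.split("\t")
        last = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        out.append((ip, int(hits), last.replace(tzinfo=timezone.utc)))
    return out


def triage(hits, last_hit, now):
    """Apply the thresholds above; a 6-month-stale entry is ignored regardless of volume."""
    if now - last_hit > timedelta(days=182):
        return "ignore-stale"
    if hits < 10:
        return "ignore"
    if hits < 50:
        # 10..50 hits only matter when they are happening in the last week
        return "watch-recent" if now - last_hit <= timedelta(days=7) else "watch"
    if hits < 100:
        return "interesting"
    return "block"


def triage_report(data, now=NOW):
    """Map each source IP in a report to its triage tier."""
    return {ip: triage(h, last, now) for ip, h, last in parse_records(data)}
```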
I'm a rancorous bitch! :-) Once something interesting is detected, it's not deleted from the database for the life of the server (unless it's proven not to be a real threat). If you think that some issue is being mishandled, drop a mail to admin at lisias dot net.
No IPv6 monitoring will be available for the near future, as AWS is still struggling with it.
The reports are generated using bash, awk, grep, sed and Perl (this last one for performance reasons - it's lightning fast!) and nothing more. I'm still wondering whether I'm willing to be embarrassed by publishing it. =]